Oliver Nassar

GitHub Project: PHP-SecureSessions

June 09, 2012

Next in my GitHub Projects series, I'm going to cover the PHP-SecureSessions library.

What is this?

This library contains two classes which allow you to quickly and securely set up sessions for a web application. As its name implies, it's centred around sessions being very secure, having cookies which are signed with a visitor's IP address and user agent.
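The idea of signing a session cookie with the visitor's IP address and user agent, shown as an added example that is not code from PHP-SecureSessions. The HMAC-SHA256 construction, the cookie format, the key and all function names are assumptions made for illustration.

```php
<?php
// Added illustration; the names below are hypothetical, not the PHP-SecureSessions API.

// Server-side secret (constructed sample value; load it from configuration in practice).
const SIGNING_KEY = 'constructed-sample-key-change-me';

// Derive the signature that binds a session ID to the client's IP and user agent.
function signSession(string $sessionId, string $ip, string $userAgent): string
{
    // Length-prefix each field so that field boundaries cannot be shifted.
    $payload = '';
    foreach ([$sessionId, $ip, $userAgent] as $field) {
        $payload .= strlen($field) . ':' . $field;
    }
    return hash_hmac('sha256', $payload, SIGNING_KEY);
}

// Cookie value format assumed here: "<session id>.<hex signature>".
function buildCookieValue(string $sessionId, string $ip, string $userAgent): string
{
    return $sessionId . '.' . signSession($sessionId, $ip, $userAgent);
}

// Return the session ID if the signature matches this client, otherwise null.
function verifyCookieValue(string $cookie, string $ip, string $userAgent): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0])) {
        return null; // malformed cookie
    }
    [$sessionId, $signature] = $parts;
    $expected = signSession($sessionId, $ip, $userAgent);
    // hash_equals compares in constant time, so the check leaks no timing information.
    return hash_equals($expected, $signature) ? $sessionId : null;
}

// Constructed sample client data (documentation IP ranges, made-up user agents).
$ip  = '203.0.113.7';
$ua  = 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0';
$sid = bin2hex(random_bytes(16));
$cookie = buildCookieValue($sid, $ip, $ua);

var_dump(verifyCookieValue($cookie, $ip, $ua) === $sid);                 // same client
var_dump(verifyCookieValue($cookie, '198.51.100.9', $ua));               // different IP
var_dump(verifyCookieValue($cookie, $ip, 'OtherAgent/2.0'));             // different user agent
var_dump(verifyCookieValue($sid . '.' . str_repeat('0', 64), $ip, $ua)); // forged signature
```

Binding to the IP address means a visitor whose address changes mid-session (mobile networks, rotating proxies) fails verification and has to start a new session.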

Why did I develop it?

As most of us do, I use sessions extensively when developing a more-than-basic web application or site. I wanted to have a library that I could really quickly drop in, whereby I don't have to worry about whether it's secure. To trust it.

The second class in this library, SMSession, is designed in the same ethos: to quickly be able to throw in Memcached-based sessions (important for load-balanced setups) without too much effort.

What's included?

This project includes two classes which can be instantiated: SSession and SMSession.

Both classes contain a variety of public methods which should be viewed in the source itself.

How do I use it?

One of these two classes ought to be instantiated early on in the request process. I do so by having a common include which immediately opens an SMSession instance, defines the Memcached server(s), sets the session (cookie) name, host (based on the $_SERVER['HTTP_HOST'] variable), and adds the server(s) to the instance.

Then? I just call the open method on the instance. And we're in business. From here, you can use the standard $_SESSION variable to read and write from/to the session.

Why did I abstract it out?

Once again, I wanted this library to be used to solve one simple challenge:
To open and manage a session, securely.

Additionally, I separated the creation of a session from a memcached-powered session in order to allow flexibility for developers who either don't have memcached installed on their server, or don't have root access to do so.

Finally, I would eventually like to create an APC-powered session script, and this is very possible by having the SSession class as a parent, as there is no code in it that stipulates which engine should store a session's data.

PHP-Pagination is next.